XP Internet Connections Virus


bryanmac
09-23-2002, 12:27 AM
Hey all,

I'm having a bit of a virus issue at work that I can't seem to find info on. I've noticed on several XP machines the following entry in Internet Connections under the heading "Internet Gateways":
AOL Internet Gateway on ......
(it actually says a specific user's name but I don't want to publish it).
The name is the same on all the machines. When I tracked down the specific user and scanned her machine for viruses I found the Troj/Momma-B virus present as well as programs like downloadware and medialoads. I removed the virus and the crapware programs associated with it. I've done some research on the virus and have found that it apparently installs an IRC client on infected machines allowing backdoor entry, but nothing about installing an Internet Gateway entry. Does anyone have experience with this virus? I can't seem to remove this Internet Connections entry from these other machines (it allows me to disable but not delete). Has anyone seen this or something similar to this behavior before? This virus is causing havoc on my network so any help would be appreciated.

Rick
09-23-2002, 01:16 AM
http://www.sophos.com/virusinfo/analyses/trojmommab.html

http://www.sophos.com/support/disinfection/trojan.html

bryanmac
09-23-2002, 09:59 PM
Thanks for the links. I've actually looked at these sites (it was Sophos that originally picked up the trojan). It explains that the trojan installs an IRC client and then connects to an IRC server upon startup. What I've been finding, however, is that other machines on the network are showing up with an entry in their Internet Connections for an internet gateway to the affected user's machine. The entry is as follows:
AOL Internet Gateway on "users_name"
(where "users_name" is the username of the user infected with Troj/Momma-B)
These other users, however, are not infected with the virus and I cannot delete the entry. All the involved machines (so far) have been XP Home Ed. I'm not sure if I'm explaining it very clearly, but it's the best I can describe. I don't suppose you (or anyone) has seen anything like this and knows what's causing it?

Paul Komski
09-23-2002, 10:20 PM
Just wondering how your LAN is setup and how it connects to the web. Presumably AOL is not your ISP.

bryanmac
09-24-2002, 12:24 AM
No, this is a campus-wide switched TCP/IP LAN at a university. It's the residential network with about 1800 students spread throughout six dorms. Several T1s running throughout campus. Everything's behind a firewall and most students connect through a proxy server. We've shut several ports down because the firewall is picking up the DoS packets being sent out by infected machines.

Rick
09-24-2002, 02:05 AM
It's a lot of work.
But how about exporting the reg,
then editing it (remove the AOL line),
then rename/backup the infected one and import the cleaned reg file into a new file.

Paul Komski
09-24-2002, 09:08 PM
You may have already found these links but the momma trojan comes with quite a few aliases and variants.
home.ahnlab.com (http://home.ahnlab.com/english/aboutvirus/vinfoview.jsp?num=95)
see Variants/Aliases (http://vil.nai.com/vil/content/v_98936.htm#Variants)

I also wonder if some other malware could have been installed along with momma. Could it be worth running a second antivirus or antitrojan utility in addition to Sophos? I also found a link where Sophos had this trojan as a false positive at newsbin (http://www.newsbin.com/motd/motdarchive.htm), though that was in May and should by now have been updated.

I don't know if this gateway could actually be the IRC connection using, say, ircnet.irc.aol.com (America Online) to run its DoS attack.

Final thought: since this is only happening on WinXP boxes, is there any way of running a restore to a point before the infection? Just wish I understood both NT systems and networking better - but there are certainly peeps here who are real whiz-kids in this respect.